Slack integration for Keeper Security that enables secure credential access requests, approval workflows, and one-time share links directly within Slack. Zero knowledge end-to-end encryption is preserved through the use of a self-hosted application container.
This app connects Slack with Keeper Commander Service Mode, allowing teams to:
- Request access to records and folders with approval workflows
- Generate one-time share links for external sharing
- Approve or deny PEDM (Privileged Elevation) requests
- Approve or deny Cloud SSO Device Approval requests
- Search records and folders by name or UID
The app uses Socket Mode, so no public endpoint is required.
The customer is responsible for hosting the Slack App and Commander Service Mode. Step by step setup instructions are available in the KeeperPAM Slack App integration page.
- Input Sanitization: All user inputs are sanitized to prevent command injection and URL injection attacks
- URL Injection Protection: Colons and forward slashes are filtered from user inputs to prevent phishing links
- Slack Mention Prevention:
@here,@channel, and@everyonementions are automatically removed - PAM Record Protection: PAM records are excluded from search results and cannot be shared via one-time links
- KSM Integration: Credentials are securely stored in Keeper Secrets Manager
- Docker URL Auto-Fix: Automatically converts
localhosttocommanderwhen running in Docker containers
- Docker and Docker Compose
- Keeper Commander
- Slack workspace with admin access
The easiest way to set up the Keeper Slack App is using the built-in setup command in Keeper Commander.
Before running the setup command, create your Slack app:
- Go to https://api.slack.com/apps and create a new app
- Use the manifest in
slack_manifest.yamlor configure manually:- Enable Socket Mode and generate an App-Level Token (
xapp-) - Add bot scopes:
chat:write,commands,im:write,users:read,channels:read - Create slash commands:
/keeper-request-record,/keeper-request-folder,/keeper-one-time-share - Enable the App Home tab
- Install the app to your workspace and copy the Bot Token (
xoxb-)
- Enable Socket Mode and generate an App-Level Token (
- Copy the Signing Secret from Basic Information
- Create a channel for approval requests and note its Channel ID
# Clone the Commander repository
git clone https://github.com/Keeper-Security/Commander.git
cd Commander
# Start Keeper shell and login
keeper shell
My Vault> login your@email.comMy Vault> slack-app-setupThis interactive command will guide you through the complete setup:
Phase 1: Docker Service Mode Setup
═══════════════════════════════════════════════════════════
Docker Setup
═══════════════════════════════════════════════════════════
[1/7] Checking device settings...
✓ Device already registered
✓ Persistent login already enabled
[2/7] Creating shared folder 'Commander Service Mode - Slack App'...
✓ Using existing shared folder
[3/7] Creating record 'Commander Service Mode Docker Config'...
✓ Using existing record
[4/7] Uploading config.json attachment...
✓ Config file uploaded successfully
[5/7] Creating Secrets Manager app 'Commander Service Mode - KSM App'...
✓ Using existing app
[6/7] Sharing folder with app...
✓ Folder shared with app
[7/7] Creating client device and generating config...
✓ Client device created successfully
✓ Docker Setup Complete!
Service Mode Configuration
═══════════════════════════════════════════════════════════
Service Mode Configuration
═══════════════════════════════════════════════════════════
Port [Press Enter for 8900]: 8900
Enable ngrok? [Press Enter for No] (y/n): n
Enable Cloudflare? [Press Enter for No] (y/n): n
✓ Service Mode Configuration Complete!
Phase 2: Slack App Configuration
═══════════════════════════════════════════════════════════
Slack App Configuration
═══════════════════════════════════════════════════════════
SLACK_APP_TOKEN:
App-level token for Slack App
Token (starts with xapp-): xapp-1-xxxxx-xxxxx-xxxxx
SLACK_BOT_TOKEN:
Bot token for Slack workspace
Token (starts with xoxb-): xoxb-xxxxx-xxxxx-xxxxx
SLACK_SIGNING_SECRET:
Signing secret for verifying Slack requests
Secret: xxxxx
APPROVALS_CHANNEL_ID:
Slack channel ID for approval notifications
Channel ID (starts with C): C0XXXXXXX
Enable PEDM? [Press Enter for No] (y/n): n
Enable Device Approval? [Press Enter for No] (y/n): n
✓ Slack Configuration Complete!
docker compose up -dThat's it! Your Keeper Slack App is now running.
docker compose logs -f| Action | Command |
|---|---|
| Start | docker compose up -d |
| Stop | docker compose down |
| Restart | docker compose restart |
| View logs | docker compose logs -f |
| Rebuild | docker compose build --no-cache |
| Check status | docker compose ps |
- Logs are persisted to
./logs/directory - Container auto-restarts unless explicitly stopped
- If using ngrok, the app includes the required
ngrok-skip-browser-warningheader
For development and testing without Docker:
# Create virtual environment
python3 -m venv keeper-env
# Activate it
source keeper-env/bin/activate # macOS/Linux
# or
keeper-env\Scripts\activate # Windows
# Install dependencies
pip install -r requirements.txtcp slack_config.example.yaml slack_config.yamlEdit slack_config.yaml:
slack:
app_token: "xapp-1-xxxxx"
bot_token: "xoxb-xxxxx"
signing_secret: "xxxxx"
approvals_channel_id: "C0XXXXXXX"
keeper:
service_url: "http://localhost:8900/api/v2/"
api_key: "your-keeper-api-key"
pedm:
enabled: false
polling_interval: 120
device_approval:
enabled: false
polling_interval: 120keeper shell --service-mode --port 8900python run_slack.pyRequest access to a Keeper record.
/keeper-request-record <record-uid-or-description> <justification>
Example:
/keeper-request-record kR3cF9Xm2Lp8NqT1uV6w Need access for deployment
Request access to a Keeper folder.
/keeper-request-folder <folder-uid-or-description> <justification>
Example:
/keeper-request-folder "Engineering Creds" Project onboarding
Request a one-time share link for a record.
/keeper-one-time-share <record-uid-or-description> <justification>
Example:
/keeper-one-time-share kR3cF9Xm2Lp8NqT1uV6w Share with contractor
- User runs a slash command with UID/description and justification
- Request is posted to the approvals channel
- Approver selects permission level and duration
- Approver clicks Approve or Deny
- User receives a DM with the result (access granted or denied)
Record permissions:
- View Only (time-limited)
- Can Edit (time-limited)
- Can Share (permanent only)
- Edit and Share (permanent only)
- Change Owner (permanent only)
Folder permissions:
- No Permissions (time-limited)
- Manage Users (permanent only)
- Manage Records (time-limited)
- Manage All (permanent only)
- 1 hour
- 4 hours
- 8 hours
- 24 hours
- 7 days
- 30 days
- Permanent
To enable PEDM polling during setup, answer y when prompted:
Enable PEDM? [Press Enter for No] (y/n): y
For local development, configure in slack_config.yaml:
pedm:
enabled: true
polling_interval: 120The app will poll for pending PEDM requests and post them to the approvals channel.
- Requests that have already been processed elsewhere show "Already processed (approved/denied elsewhere)"
- Approvers see clear status updates after each action
To enable Cloud SSO Device Approval during setup, answer y when prompted:
Enable Device Approval? [Press Enter for No] (y/n): y
For local development, configure in slack_config.yaml:
device_approval:
enabled: true
polling_interval: 120The app will poll for pending device approval requests and post them to the approvals channel.
Ensure Keeper Commander is running:
keeper shell --service-mode --port 8900For Docker: The app automatically converts localhost to commander in service URLs. If using a different container name, update your KSM record or config accordingly.
For host services: Use host.docker.internal to reach services running on your host machine.
- Verify the channel ID in config is correct
- Invite the bot to the channel:
/invite @Keeper Security
- Check that the app_token starts with
xapp- - Verify Socket Mode is enabled in Slack app settings
PAM records (pamDirectory, pamDatabase, pamMachine, pamUser, pamRemoteBrowser) are intentionally excluded from search results for security reasons.
One-time share links cannot be created for PAM records. Users will see a clear error message explaining this limitation.
If you see duplicate slash commands in Slack:
- Check if multiple apps with the same name are installed in your workspace
- Go to Slack Settings > Manage Apps and remove any duplicate installations
- Ensure only one app is registered with the slash commands
The slack-app-setup command automatically configures KSM for secure credential storage. All credentials are stored securely in your Keeper Vault and accessed via KSM - no plaintext configuration files are needed.
The setup command creates records containing:
Service Mode Configuration:
service_url- Service Mode API URLapi_key- Service Mode API key
Slack Configuration:
slack_app_token- Slack App Token (xapp-)slack_bot_token- Slack Bot Token (xoxb-)slack_signing_secret- Slack Signing Secretapprovals_channel_id- Channel ID for approval requestspedm_enabled- Enable PEDM polling (true/false)pedm_polling_interval- PEDM polling interval in secondsdevice_approval_enabled- Enable device approval polling (true/false)device_approval_polling_interval- Device approval polling interval in seconds
- Automated Setup Command: New
slack-app-setupcommand for one-step configuration - PAM Record One-Time Share Protection: One-time share blocked for PAM records with user-friendly error
- URL Injection Protection: Colons and forward slashes sanitized to prevent phishing links
- PEDM Already Processed Handling: Clear status when PEDM requests were processed elsewhere
- Cloud SSO Device Approval: Support for device approval polling and actions
- KSM Integration: Secure credential storage via Keeper Secrets Manager
- Consistent Input Sanitization: Slack markdown characters cleaned from all identifiers
- Simplified Logging: Cleaner credential fetch logs
Copyright 2025 Keeper Security Inc. Contact: commander@keepersecurity.com